Step 5: Create the HDFS Superuser

To be able to create home directories for users, you will need access to the HDFS superuser account. (CDH automatically created the HDFS superuser account on each cluster host during CDH installation.) When you enabled Kerberos for the HDFS service, you lost access to the HDFS superuser account using sudo -u hdfs commands. To enable your access to the HDFS superuser account now that Kerberos is enabled, you must create a Kerberos principal or an AD user whose first component is hdfs:

If you are using Active Directory

Add a new user account to Active Directory, hdfs@YOUR-REALM.COM. The password for this account should be set to never expire.

If you are using MIT KDC

  1. In the kadmin.local or kadmin shell, type the following command to create a Kerberos principal called hdfs:
    kadmin:  addprinc hdfs@YOUR-LOCAL-REALM.COM
  2. To run commands as the HDFS superuser, you must obtain Kerberos credentials for the hdfs principal. To do so, run the following command and provide the appropriate password when prompted.
    $ kinit hdfs@YOUR-LOCAL-REALM.COM
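
The following is an added example, not part of the original procedure: it checks that the ticket cache holds a principal whose first component is hdfs before emitting the commands that create a user's home directory. The function names, the user name joe and the sample klist output are assumptions constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: confirm the cached ticket belongs to the hdfs principal,
# then produce the commands that create a user's HDFS home directory.

# Constructed sample of `klist` output after `kinit hdfs@YOUR-LOCAL-REALM.COM`.
SAMPLE_KLIST='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: hdfs@YOUR-LOCAL-REALM.COM

Valid starting       Expires              Service principal
01/01/2024 10:00:00  01/01/2024 20:00:00  krbtgt/YOUR-LOCAL-REALM.COM@YOUR-LOCAL-REALM.COM'

# Print the first component of the default principal found in klist output.
principal_primary() {
    printf '%s\n' "$1" | awk -F': *' '/^Default principal:/ {
        split($2, p, "[/@]"); print p[1]; exit }'
}

# Succeed only when the first component is exactly "hdfs"
# (hdfsadmin@REALM, joe@REALM or an empty cache must fail).
is_hdfs_ticket() {
    [ "$(principal_primary "$1")" = "hdfs" ]
}

# Emit the commands that create /user/<name> and give it to that user.
# Names are restricted so nothing unexpected ends up in an HDFS path.
home_dir_commands() {
    case "$1" in
        ''|*[!a-z0-9_-]*) echo "invalid user name: $1" >&2; return 1 ;;
    esac
    printf 'hdfs dfs -mkdir -p /user/%s\n' "$1"
    printf 'hdfs dfs -chown %s /user/%s\n' "$1" "$1"
}

# Demonstration against the constructed sample. On a cluster host, after kinit:
#   is_hdfs_ticket "$(klist)" && home_dir_commands joe | sh
is_hdfs_ticket "$SAMPLE_KLIST" && home_dir_commands joe
```

Because klist prints nothing to standard output when the cache is empty or expired, the check fails closed and no HDFS commands are produced.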